US12278811B2ActiveUtilityA1

Securing in-vehicle service oriented architecture with mac generate allow list

46
Assignee: GM GLOBAL TECH OPERATIONS LLCPriority: Dec 1, 2022Filed: Dec 1, 2022Granted: Apr 15, 2025
Est. expiryDec 1, 2042(~16.4 yrs left)· nominal 20-yr term from priority
H04L 63/20H04L 63/083H04L 67/52H04L 67/12H04L 63/08
46
PatentIndex Score
0
Cited by
10
References
20
Claims

Abstract

An electronic control unit (ECU), or node, is configured to use a single key for generating requests from a security peripheral for a MAC. The security peripheral includes the stored shared key. The security peripheral may further include a policy enabling it to detect if a request from the V-ECU is valid, in which case it generates a MAC. The security peripheral is also used to store information in a MAC Generate Allow List (MGAL). In some embodiments, the receiving nodes in a network receive data based on a security peripheral's response to a transmit nodes requests for a MAC. The receiving nodes use this knowledge to avoid being spoofed.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system comprising:
 a host; 
 a security peripheral, wherein:
 the security peripheral includes a generation module, a verification module, a generation allow list, a transceiver, and a processor coupled to a memory; 
 the memory is operational to store a plurality of verification keys and a plurality of generation keys; 
 the plurality of generation keys includes a dedicated key used by the host to request generation of a first message authentication code; 
 the security peripheral is operational to determine if the host is permitted to transmit a first message in response to a transmit request and a first key serial number; 
 the first key serial number identifies the dedicated key of the plurality of generation keys; 
 the generation module is operational to generate the first message authentication code based on (i) the dedicated key and (ii) a policy in the generation allow list, and not generate the first message authentication code if a message identifier of the host is not in the generation allow list; 
 the transceiver is operational to transmit to a particular receiver the first message authentication code and the first key serial number in the first message; 
 the transceiver is further operational to receive from a distinct host a second message that includes a second message authentication code and a second key serial number; 
 the security peripheral is further operational to determine if the host is permitted to accept the second message; 
 the second key serial number identifies a second particular one of the plurality of verification keys; and 
 the verification module is operational to verify that the second message is acceptable based on the second message authentication code and the second particular verification key; and 
 
 a plurality of receivers, wherein:
 each receiver is operational to receive a plurality of messages from the host; 
 the particular receiver of the plurality of receivers is operational to receive the first message from the host; 
 the particular receiver is further operational to obtain knowledge regarding a relative trustworthiness of the host based at least in part on a type of service to be sent for authentication; and 
 relocation or movement of one or more among the host and the plurality of receivers to a geographically different location relies on a relative trustworthiness of the host without making substantive changes to the plurality of receivers. 
 
 
     
     
       2. A node comprising:
 a processor coupled to a memory, wherein the memory is operational to store a plurality of verification keys and a plurality of generation keys; 
 a security peripheral that includes a generation module and a verification module; and 
 a transceiver, wherein:
 the security peripheral is operational to determine if the node is permitted to transmit a first message in response to a transmit request and a first key serial number; 
 the first key serial number identifies a first particular one of the plurality of generation keys; 
 the generation module is operational to generate a first message authentication code based on the first particular generation key where the node is permitted to transmit the first message; 
 the transceiver is operational to transmit to a target node the first message authentication code and the first key serial number in the first message; 
 the transceiver is further operational to receive from a distinct node a second message that includes a second message authentication code and a second key serial number; 
 the security peripheral is further operational to determine if the node is permitted to accept the second message; 
 the second key serial number identifies a second particular one of the plurality of verification keys; and 
 the verification module is operational to verify that the second message is acceptable based on the second message authentication code and the second particular verification key. 
 
 
     
     
       3. The node of  claim 2 , wherein:
 the security peripheral includes a generation allow list that contains information which determines if the generation module is permitted to generate the first message authentication code. 
 
     
     
       4. The node of  claim 3 , wherein:
 a table used to build the generation allow list is based on a plurality of security peripheral key serial numbers and a plurality of key use flags. 
 
     
     
       5. The node of  claim 4 , wherein:
 the first key serial number acts as a pointer into the generation allow list to access the first particular generation key. 
 
     
     
       6. The node of  claim 5 , wherein:
 the first key serial number in the first message transmitted by the node is suitable for the target node to verify that the first message is acceptable. 
 
     
     
       7. The node of  claim 6 , wherein:
 the first key serial number is positioned after a payload packet in the first message. 
 
     
     
       8. The node of  claim 3 , wherein;
 when offering a new service, the generation allow list is operational to be updated via a signed calibration or firmware update authenticated prior to use. 
 
     
     
       9. An in-vehicle network comprising:
 a bus; and 
 a plurality of electronic control units couped to the bus, wherein:
 each particular one of the plurality of electronic control units includes a security peripheral, a processor coupled to a memory, and a transceiver coupled to the bus: 
 the memory is operational to store a plurality of verification keys and a plurality of generation keys; 
 the security peripheral includes a generation module and a verification module; 
 the security peripheral is operational to determine if the particular electronic control unit is permitted to transmit a first message in response to a transmit request and a first key serial number; 
 the first key serial number identifies a first particular one of the plurality of generation keys; 
 the generation module is operational to generate a first message authentication code based on the first particular generation key where the particular electronic control unit is permitted to transmit the first message; 
 the transceiver is operational to transmit via the bus to a target electronic control unit of the plurality of electronic control units the first message authentication code and the first key serial number in the first message; 
 the transceiver is further operational to receive via the bus from a distinct electronic control unit of the plurality of electronic control units a second message that includes a second message authentication code and a second key serial number; 
 the security peripheral is further operational to determine if the particular electronic control unit is permitted to accept the second message; 
 the second key serial number identifies a second particular one of the plurality of verification keys; 
 the verification module is operational to verify that the second message is acceptable based on the second message authentication code and the second particular verification key; and 
 one or more of the plurality of electronic control units is relocatable within the in-vehicle network without software upgrades. 
 
 
     
     
       10. The in-vehicle network of  claim 9 , wherein:
 a newly positioned transmit node in the in-vehicle network is operational to receive a secure firmware update to authenticate another security peripheral prior to use. 
 
     
     
       11. The in-vehicle network of  claim 9 , wherein:
 the security peripheral is operational to use a generation allow list based on a plurality of bit masks to choose nodes in the in-vehicle network to which a plurality of entries in the generation allow list apply for non-service discovery messages. 
 
     
     
       12. The in-vehicle network of  claim 9 , wherein:
 a transmit message generated by each of the plurality of electronic control units includes a key serial number after a payload. 
 
     
     
       13. The node of  claim 2 , wherein:
 the target node is operational to determine a local verification key based on the first key serial number received in the first message; 
 the local verification key matches the first particular generation key; and 
 the first message is verified based on the local verification key. 
 
     
     
       14. The node of  claim 3 , wherein:
 the generation allow list includes a plurality of historical records of what the node is allowed to transmit. 
 
     
     
       15. The node of  claim 3 , wherein:
 the generation allow list includes one or more policies that determine if the node is permitted to transmit the first message. 
 
     
     
       16. The node of  claim 15 , wherein:
 the one or more policies determine if the target node is allowed to receive the first message. 
 
     
     
       17. The node of  claim 15 , wherein:
 the one or more policies determine what subject matter the node is permitted to transmit. 
 
     
     
       18. The node of  claim 17 , wherein:
 the transmit request includes one or more security-related information elements. 
 
     
     
       19. The node of  claim 18 , wherein:
 the transmit request further includes a type of service being requested. 
 
     
     
       20. The node of  claim 19 , wherein:
 the transmit request further includes a type of data to be transmitted.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.